198 * Create all secret key objects in a global session so that they are available |
204 * Create all secret key objects in a global session so that they are available |
199 * to use for other sessions. These other sessions may be opened or closed |
205 * to use for other sessions. These other sessions may be opened or closed |
200 * without losing the secret key objects. |
206 * without losing the secret key objects. |
201 */ |
207 */ |
202 static CK_SESSION_HANDLE global_session = CK_INVALID_HANDLE; |
208 static CK_SESSION_HANDLE global_session = CK_INVALID_HANDLE; |
|
209 |
|
210 /* Index for the supported ciphers */ |
|
211 enum pk11_cipher_id { |
|
212 PK11_DES_CBC, |
|
213 PK11_DES3_CBC, |
|
214 PK11_DES_ECB, |
|
215 PK11_DES3_ECB, |
|
216 PK11_RC4, |
|
217 PK11_AES_128_CBC, |
|
218 PK11_AES_192_CBC, |
|
219 PK11_AES_256_CBC, |
|
220 PK11_AES_128_ECB, |
|
221 PK11_AES_192_ECB, |
|
222 PK11_AES_256_ECB, |
|
223 PK11_BLOWFISH_CBC, |
|
224 #ifdef SOLARIS_AES_CTR |
|
225 PK11_AES_128_CTR, |
|
226 PK11_AES_192_CTR, |
|
227 PK11_AES_256_CTR, |
|
228 #endif /* SOLARIS_AES_CTR */ |
|
229 PK11_CIPHER_MAX |
|
230 }; |
|
231 |
|
232 /* Index for the supported digests */ |
|
233 enum pk11_digest_id { |
|
234 PK11_MD5, |
|
235 PK11_SHA1, |
|
236 PK11_SHA224, |
|
237 PK11_SHA256, |
|
238 PK11_SHA384, |
|
239 PK11_SHA512, |
|
240 PK11_DIGEST_MAX |
|
241 }; |
|
242 |
|
243 typedef struct PK11_CIPHER_st |
|
244 { |
|
245 enum pk11_cipher_id id; |
|
246 int nid; |
|
247 int iv_len; |
|
248 int min_key_len; |
|
249 int max_key_len; |
|
250 CK_KEY_TYPE key_type; |
|
251 CK_MECHANISM_TYPE mech_type; |
|
252 } PK11_CIPHER; |
|
253 |
|
254 typedef struct PK11_DIGEST_st |
|
255 { |
|
256 enum pk11_digest_id id; |
|
257 int nid; |
|
258 CK_MECHANISM_TYPE mech_type; |
|
259 } PK11_DIGEST; |
203 |
260 |
204 /* ENGINE level stuff */ |
261 /* ENGINE level stuff */ |
205 static int pk11_init(ENGINE *e); |
262 static int pk11_init(ENGINE *e); |
206 static int pk11_library_init(ENGINE *e); |
263 static int pk11_library_init(ENGINE *e); |
207 static int pk11_finish(ENGINE *e); |
264 static int pk11_finish(ENGINE *e); |
285 int *local_cipher_nids); |
342 int *local_cipher_nids); |
286 static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist, |
343 static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist, |
287 CK_SLOT_ID current_slot, int *current_slot_n_digest, |
344 CK_SLOT_ID current_slot, int *current_slot_n_digest, |
288 int *local_digest_nids); |
345 int *local_digest_nids); |
289 static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR, int slot_id, |
346 static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR, int slot_id, |
290 CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, int *local_cipher_nids, |
347 int *current_slot_n_cipher, int *local_cipher_nids, |
291 int id); |
348 PK11_CIPHER *cipher); |
292 static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id, |
349 static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id, |
293 CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids, |
350 int *current_slot_n_digest, int *local_digest_nids, |
294 int id); |
351 PK11_DIGEST *digest); |
295 |
352 |
296 static int pk11_init_all_locks(void); |
353 static int pk11_init_all_locks(void); |
297 static void pk11_free_all_locks(void); |
354 static void pk11_free_all_locks(void); |
298 |
355 |
299 #ifdef SOLARIS_HW_SLOT_SELECTION |
356 #ifdef SOLARIS_HW_SLOT_SELECTION |
300 static int check_hw_mechanisms(void); |
357 static int check_hw_mechanisms(void); |
301 static int nid_in_table(int nid, int *nid_table); |
358 static int nid_in_table(int nid, int *nid_table); |
302 static int hw_aes_instruction_set_present(void); |
359 static int hw_aes_instruction_set_present(void); |
303 #endif /* SOLARIS_HW_SLOT_SELECTION */ |
360 #endif /* SOLARIS_HW_SLOT_SELECTION */ |
304 |
|
305 /* Index for the supported ciphers */ |
|
306 enum pk11_cipher_id { |
|
307 PK11_DES_CBC, |
|
308 PK11_DES3_CBC, |
|
309 PK11_DES_ECB, |
|
310 PK11_DES3_ECB, |
|
311 PK11_RC4, |
|
312 PK11_AES_128_CBC, |
|
313 PK11_AES_192_CBC, |
|
314 PK11_AES_256_CBC, |
|
315 PK11_AES_128_ECB, |
|
316 PK11_AES_192_ECB, |
|
317 PK11_AES_256_ECB, |
|
318 PK11_BLOWFISH_CBC, |
|
319 #ifdef SOLARIS_AES_CTR |
|
320 PK11_AES_128_CTR, |
|
321 PK11_AES_192_CTR, |
|
322 PK11_AES_256_CTR, |
|
323 #endif /* SOLARIS_AES_CTR */ |
|
324 PK11_CIPHER_MAX |
|
325 }; |
|
326 |
|
327 /* Index for the supported digests */ |
|
328 enum pk11_digest_id { |
|
329 PK11_MD5, |
|
330 PK11_SHA1, |
|
331 PK11_SHA224, |
|
332 PK11_SHA256, |
|
333 PK11_SHA384, |
|
334 PK11_SHA512, |
|
335 PK11_DIGEST_MAX |
|
336 }; |
|
337 |
361 |
338 #define TRY_OBJ_DESTROY(sp, obj_hdl, retval, uselock, alg_type) \ |
362 #define TRY_OBJ_DESTROY(sp, obj_hdl, retval, uselock, alg_type) \ |
339 { \ |
363 { \ |
340 if (uselock) \ |
364 if (uselock) \ |
341 LOCK_OBJSTORE(alg_type); \ |
365 LOCK_OBJSTORE(alg_type); \ |
355 static CK_BBOOL pk11_have_rsa = CK_FALSE; |
379 static CK_BBOOL pk11_have_rsa = CK_FALSE; |
356 static CK_BBOOL pk11_have_dsa = CK_FALSE; |
380 static CK_BBOOL pk11_have_dsa = CK_FALSE; |
357 static CK_BBOOL pk11_have_dh = CK_FALSE; |
381 static CK_BBOOL pk11_have_dh = CK_FALSE; |
358 static CK_BBOOL pk11_have_random = CK_FALSE; |
382 static CK_BBOOL pk11_have_random = CK_FALSE; |
359 |
383 |
360 typedef struct PK11_CIPHER_st |
384 /* |
361 { |
385 * Static list of ciphers. |
362 enum pk11_cipher_id id; |
386 * Note, that ciphers array is indexed by member PK11_CIPHER.id, |
363 int nid; |
387 * thus ciphers[i].id == i |
364 int iv_len; |
388 * Rows must be kept in sync with enum pk11_cipher_id. |
365 int min_key_len; |
389 */ |
366 int max_key_len; |
|
367 CK_KEY_TYPE key_type; |
|
368 CK_MECHANISM_TYPE mech_type; |
|
369 } PK11_CIPHER; |
|
370 |
|
371 static PK11_CIPHER ciphers[] = |
390 static PK11_CIPHER ciphers[] = |
372 { |
391 { |
373 { PK11_DES_CBC, NID_des_cbc, 8, 8, 8, |
392 { PK11_DES_CBC, NID_des_cbc, 8, 8, 8, |
374 CKK_DES, CKM_DES_CBC, }, |
393 CKK_DES, CKM_DES_CBC, }, |
375 { PK11_DES3_CBC, NID_des_ede3_cbc, 8, 24, 24, |
394 { PK11_DES3_CBC, NID_des_ede3_cbc, 8, 24, 24, |
403 { PK11_AES_256_CTR, NID_undef, 16, 32, 32, |
422 { PK11_AES_256_CTR, NID_undef, 16, 32, 32, |
404 CKK_AES, CKM_AES_CTR, }, |
423 CKK_AES, CKM_AES_CTR, }, |
405 #endif /* SOLARIS_AES_CTR */ |
424 #endif /* SOLARIS_AES_CTR */ |
406 }; |
425 }; |
407 |
426 |
408 typedef struct PK11_DIGEST_st |
427 /* |
409 { |
428 * Static list of digests. |
410 enum pk11_digest_id id; |
429 * Note, that digests array is indexed by member PK11_DIGEST.id, |
411 int nid; |
430 * thus digests[i].id == i |
412 CK_MECHANISM_TYPE mech_type; |
431 * Rows must be kept in sync with enum pk11_digest_id. |
413 } PK11_DIGEST; |
432 */ |
414 |
|
415 static PK11_DIGEST digests[] = |
433 static PK11_DIGEST digests[] = |
416 { |
434 { |
417 {PK11_MD5, NID_md5, CKM_MD5, }, |
435 {PK11_MD5, NID_md5, CKM_MD5, }, |
418 {PK11_SHA1, NID_sha1, CKM_SHA_1, }, |
436 {PK11_SHA1, NID_sha1, CKM_SHA_1, }, |
419 {PK11_SHA224, NID_sha224, CKM_SHA224, }, |
437 {PK11_SHA224, NID_sha224, CKM_SHA224, }, |
940 { |
958 { |
941 if (!ENGINE_set_RSA(e, PK11_RSA()) || |
959 if (!ENGINE_set_RSA(e, PK11_RSA()) || |
942 !ENGINE_set_load_privkey_function(e, pk11_load_privkey) || |
960 !ENGINE_set_load_privkey_function(e, pk11_load_privkey) || |
943 !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey)) |
961 !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey)) |
944 return (0); |
962 return (0); |
945 #ifdef DEBUG_SLOT_SELECTION |
963 DEBUG_SLOT_SEL("%s: registered RSA\n", PK11_DBG); |
946 fprintf(stderr, "%s: registered RSA\n", PK11_DBG); |
|
947 #endif /* DEBUG_SLOT_SELECTION */ |
|
948 } |
964 } |
949 #endif /* OPENSSL_NO_RSA */ |
965 #endif /* OPENSSL_NO_RSA */ |
950 #ifndef OPENSSL_NO_DSA |
966 #ifndef OPENSSL_NO_DSA |
951 if (pk11_have_dsa == CK_TRUE) |
967 if (pk11_have_dsa == CK_TRUE) |
952 { |
968 { |
953 if (!ENGINE_set_DSA(e, PK11_DSA())) |
969 if (!ENGINE_set_DSA(e, PK11_DSA())) |
954 return (0); |
970 return (0); |
955 #ifdef DEBUG_SLOT_SELECTION |
971 DEBUG_SLOT_SEL("%s: registered DSA\n", PK11_DBG); |
956 fprintf(stderr, "%s: registered DSA\n", PK11_DBG); |
|
957 #endif /* DEBUG_SLOT_SELECTION */ |
|
958 } |
972 } |
959 #endif /* OPENSSL_NO_DSA */ |
973 #endif /* OPENSSL_NO_DSA */ |
960 #ifndef OPENSSL_NO_DH |
974 #ifndef OPENSSL_NO_DH |
961 if (pk11_have_dh == CK_TRUE) |
975 if (pk11_have_dh == CK_TRUE) |
962 { |
976 { |
963 if (!ENGINE_set_DH(e, PK11_DH())) |
977 if (!ENGINE_set_DH(e, PK11_DH())) |
964 return (0); |
978 return (0); |
965 #ifdef DEBUG_SLOT_SELECTION |
979 DEBUG_SLOT_SEL("%s: registered DH\n", PK11_DBG); |
966 fprintf(stderr, "%s: registered DH\n", PK11_DBG); |
|
967 #endif /* DEBUG_SLOT_SELECTION */ |
|
968 } |
980 } |
969 #endif /* OPENSSL_NO_DH */ |
981 #endif /* OPENSSL_NO_DH */ |
970 if (pk11_have_random) |
982 if (pk11_have_random) |
971 { |
983 { |
972 if (!ENGINE_set_RAND(e, &pk11_random)) |
984 if (!ENGINE_set_RAND(e, &pk11_random)) |
973 return (0); |
985 return (0); |
974 #ifdef DEBUG_SLOT_SELECTION |
986 DEBUG_SLOT_SEL("%s: registered random\n", PK11_DBG); |
975 fprintf(stderr, "%s: registered random\n", PK11_DBG); |
|
976 #endif /* DEBUG_SLOT_SELECTION */ |
|
977 } |
987 } |
978 if (!ENGINE_set_init_function(e, pk11_init) || |
988 if (!ENGINE_set_init_function(e, pk11_init) || |
979 !ENGINE_set_destroy_function(e, pk11_destroy) || |
989 !ENGINE_set_destroy_function(e, pk11_destroy) || |
980 !ENGINE_set_finish_function(e, pk11_finish) || |
990 !ENGINE_set_finish_function(e, pk11_finish) || |
981 !ENGINE_set_ctrl_function(e, pk11_ctrl) || |
991 !ENGINE_set_ctrl_function(e, pk11_ctrl) || |
3210 PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv); |
3214 PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv); |
3211 OPENSSL_free(pSlotList); |
3215 OPENSSL_free(pSlotList); |
3212 return (0); |
3216 return (0); |
3213 } |
3217 } |
3214 |
3218 |
3215 #ifdef DEBUG_SLOT_SELECTION |
3219 DEBUG_SLOT_SEL("%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME); |
3216 fprintf(stderr, "%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME); |
3220 DEBUG_SLOT_SEL("%s: number of slots: %d\n", PK11_DBG, ulSlotCount); |
3217 fprintf(stderr, "%s: number of slots: %d\n", PK11_DBG, ulSlotCount); |
3221 |
3218 |
3222 DEBUG_SLOT_SEL("%s: == checking rand slots ==\n", PK11_DBG); |
3219 fprintf(stderr, "%s: == checking rand slots ==\n", PK11_DBG); |
|
3220 #endif /* DEBUG_SLOT_SELECTION */ |
|
3221 for (i = 0; i < ulSlotCount; i++) |
3223 for (i = 0; i < ulSlotCount; i++) |
3222 { |
3224 { |
3223 current_slot = pSlotList[i]; |
3225 current_slot = pSlotList[i]; |
3224 |
3226 |
3225 #ifdef DEBUG_SLOT_SELECTION |
3227 DEBUG_SLOT_SEL("%s: checking slot: %d\n", PK11_DBG, i); |
3226 fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i); |
|
3227 #endif /* DEBUG_SLOT_SELECTION */ |
|
3228 /* Check if slot has random support. */ |
3228 /* Check if slot has random support. */ |
3229 rv = pFuncList->C_GetTokenInfo(current_slot, &token_info); |
3229 rv = pFuncList->C_GetTokenInfo(current_slot, &token_info); |
3230 if (rv != CKR_OK) |
3230 if (rv != CKR_OK) |
3231 continue; |
3231 continue; |
3232 |
3232 |
3233 #ifdef DEBUG_SLOT_SELECTION |
3233 DEBUG_SLOT_SEL("%s: token label: %.32s\n", PK11_DBG, |
3234 fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label); |
3234 token_info.label); |
3235 #endif /* DEBUG_SLOT_SELECTION */ |
|
3236 |
3235 |
3237 if (token_info.flags & CKF_RNG) |
3236 if (token_info.flags & CKF_RNG) |
3238 { |
3237 { |
3239 #ifdef DEBUG_SLOT_SELECTION |
3238 DEBUG_SLOT_SEL( |
3240 fprintf(stderr, "%s: this token has CKF_RNG flag\n", PK11_DBG); |
3239 "%s: this token has CKF_RNG flag\n", PK11_DBG); |
3241 #endif /* DEBUG_SLOT_SELECTION */ |
|
3242 pk11_have_random = CK_TRUE; |
3240 pk11_have_random = CK_TRUE; |
3243 rand_SLOTID = current_slot; |
3241 rand_SLOTID = current_slot; |
3244 break; |
3242 break; |
3245 } |
3243 } |
3246 } |
3244 } |
3247 |
3245 |
3248 #ifdef DEBUG_SLOT_SELECTION |
3246 DEBUG_SLOT_SEL("%s: == checking pubkey slots ==\n", PK11_DBG); |
3249 fprintf(stderr, "%s: == checking pubkey slots ==\n", PK11_DBG); |
|
3250 #endif /* DEBUG_SLOT_SELECTION */ |
|
3251 |
3247 |
3252 pubkey_SLOTID = pSlotList[0]; |
3248 pubkey_SLOTID = pSlotList[0]; |
3253 for (i = 0; i < ulSlotCount; i++) |
3249 for (i = 0; i < ulSlotCount; i++) |
3254 { |
3250 { |
3255 CK_BBOOL slot_has_rsa = CK_FALSE; |
3251 CK_BBOOL slot_has_rsa = CK_FALSE; |
3256 CK_BBOOL slot_has_dsa = CK_FALSE; |
3252 CK_BBOOL slot_has_dsa = CK_FALSE; |
3257 CK_BBOOL slot_has_dh = CK_FALSE; |
3253 CK_BBOOL slot_has_dh = CK_FALSE; |
3258 current_slot = pSlotList[i]; |
3254 current_slot = pSlotList[i]; |
3259 |
3255 |
3260 #ifdef DEBUG_SLOT_SELECTION |
3256 DEBUG_SLOT_SEL("%s: checking slot: %d\n", PK11_DBG, i); |
3261 fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i); |
|
3262 #endif /* DEBUG_SLOT_SELECTION */ |
|
3263 rv = pFuncList->C_GetTokenInfo(current_slot, &token_info); |
3257 rv = pFuncList->C_GetTokenInfo(current_slot, &token_info); |
3264 if (rv != CKR_OK) |
3258 if (rv != CKR_OK) |
3265 continue; |
3259 continue; |
3266 |
3260 |
3267 #ifdef DEBUG_SLOT_SELECTION |
3261 DEBUG_SLOT_SEL("%s: token label: %.32s\n", PK11_DBG, |
3268 fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label); |
3262 token_info.label); |
3269 #endif /* DEBUG_SLOT_SELECTION */ |
|
3270 |
3263 |
3271 #ifndef OPENSSL_NO_RSA |
3264 #ifndef OPENSSL_NO_RSA |
3272 /* |
3265 /* |
3273 * Check if this slot is capable of signing and |
3266 * Check if this slot is capable of signing and |
3274 * verifying with CKM_RSA_PKCS. |
3267 * verifying with CKM_RSA_PKCS. |
3332 #endif /* OPENSSL_NO_DH */ |
3325 #endif /* OPENSSL_NO_DH */ |
3333 |
3326 |
3334 if (!found_candidate_slot && |
3327 if (!found_candidate_slot && |
3335 (slot_has_rsa || slot_has_dsa || slot_has_dh)) |
3328 (slot_has_rsa || slot_has_dsa || slot_has_dh)) |
3336 { |
3329 { |
3337 #ifdef DEBUG_SLOT_SELECTION |
3330 DEBUG_SLOT_SEL( |
3338 fprintf(stderr, |
|
3339 "%s: potential slot: %d\n", PK11_DBG, current_slot); |
3331 "%s: potential slot: %d\n", PK11_DBG, current_slot); |
3340 #endif /* DEBUG_SLOT_SELECTION */ |
|
3341 best_slot_sofar = current_slot; |
3332 best_slot_sofar = current_slot; |
3342 pk11_have_rsa = slot_has_rsa; |
3333 pk11_have_rsa = slot_has_rsa; |
3343 pk11_have_dsa = slot_has_dsa; |
3334 pk11_have_dsa = slot_has_dsa; |
3344 pk11_have_dh = slot_has_dh; |
3335 pk11_have_dh = slot_has_dh; |
3345 found_candidate_slot = CK_TRUE; |
3336 found_candidate_slot = CK_TRUE; |
3346 /* |
3337 /* |
3347 * Cache the flags for later use. We might need those if |
3338 * Cache the flags for later use. We might need those if |
3348 * RSA keys by reference feature is used. |
3339 * RSA keys by reference feature is used. |
3349 */ |
3340 */ |
3350 pubkey_token_flags = token_info.flags; |
3341 pubkey_token_flags = token_info.flags; |
3351 #ifdef DEBUG_SLOT_SELECTION |
3342 DEBUG_SLOT_SEL( |
3352 fprintf(stderr, |
|
3353 "%s: setting found_candidate_slot to CK_TRUE\n", |
3343 "%s: setting found_candidate_slot to CK_TRUE\n", |
3354 PK11_DBG); |
3344 PK11_DBG); |
3355 fprintf(stderr, |
3345 DEBUG_SLOT_SEL("%s: best slot so far: %d\n", PK11_DBG, |
3356 "%s: best so far slot: %d\n", PK11_DBG, |
|
3357 best_slot_sofar); |
3346 best_slot_sofar); |
3358 fprintf(stderr, "%s: pubkey flags changed to " |
3347 DEBUG_SLOT_SEL("%s: pubkey flags changed to " |
3359 "%lu.\n", PK11_DBG, pubkey_token_flags); |
3348 "%lu.\n", PK11_DBG, pubkey_token_flags); |
3360 } |
3349 } |
3361 else |
3350 else |
3362 { |
3351 { |
3363 fprintf(stderr, |
3352 DEBUG_SLOT_SEL("%s: no rsa/dsa/dh\n", PK11_DBG); |
3364 "%s: no rsa/dsa/dh\n", PK11_DBG); |
3353 } |
3365 } |
|
3366 #else |
|
3367 } /* if */ |
|
3368 #endif /* DEBUG_SLOT_SELECTION */ |
|
3369 } /* for */ |
3354 } /* for */ |
3370 |
3355 |
3371 if (found_candidate_slot == CK_TRUE) |
3356 if (found_candidate_slot == CK_TRUE) |
3372 { |
3357 { |
3373 pubkey_SLOTID = best_slot_sofar; |
3358 pubkey_SLOTID = best_slot_sofar; |
3374 } |
3359 } |
3375 |
3360 |
3376 found_candidate_slot = CK_FALSE; |
3361 found_candidate_slot = CK_FALSE; |
3377 best_slot_sofar = 0; |
3362 best_slot_sofar = 0; |
3378 |
3363 |
3379 #ifdef DEBUG_SLOT_SELECTION |
3364 DEBUG_SLOT_SEL("%s: == checking cipher/digest ==\n", PK11_DBG); |
3380 fprintf(stderr, "%s: == checking cipher/digest ==\n", PK11_DBG); |
|
3381 #endif /* DEBUG_SLOT_SELECTION */ |
|
3382 |
3365 |
3383 SLOTID = pSlotList[0]; |
3366 SLOTID = pSlotList[0]; |
3384 for (i = 0; i < ulSlotCount; i++) |
3367 for (i = 0; i < ulSlotCount; i++) |
3385 { |
3368 { |
3386 #ifdef DEBUG_SLOT_SELECTION |
3369 DEBUG_SLOT_SEL("%s: checking slot: %d\n", PK11_DBG, i); |
3387 fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i); |
|
3388 #endif /* DEBUG_SLOT_SELECTION */ |
|
3389 |
3370 |
3390 current_slot = pSlotList[i]; |
3371 current_slot = pSlotList[i]; |
3391 current_slot_n_cipher = 0; |
3372 current_slot_n_cipher = 0; |
3392 current_slot_n_digest = 0; |
3373 current_slot_n_digest = 0; |
3393 (void) memset(local_cipher_nids, 0, sizeof (local_cipher_nids)); |
3374 (void) memset(local_cipher_nids, 0, sizeof (local_cipher_nids)); |
3397 ¤t_slot_n_cipher, local_cipher_nids); |
3378 ¤t_slot_n_cipher, local_cipher_nids); |
3398 |
3379 |
3399 pk11_find_digests(pFuncList, current_slot, |
3380 pk11_find_digests(pFuncList, current_slot, |
3400 ¤t_slot_n_digest, local_digest_nids); |
3381 ¤t_slot_n_digest, local_digest_nids); |
3401 |
3382 |
3402 #ifdef DEBUG_SLOT_SELECTION |
3383 DEBUG_SLOT_SEL("%s: current_slot_n_cipher %d\n", PK11_DBG, |
3403 fprintf(stderr, "%s: current_slot_n_cipher %d\n", PK11_DBG, |
|
3404 current_slot_n_cipher); |
3384 current_slot_n_cipher); |
3405 fprintf(stderr, "%s: current_slot_n_digest %d\n", PK11_DBG, |
3385 DEBUG_SLOT_SEL("%s: current_slot_n_digest %d\n", PK11_DBG, |
3406 current_slot_n_digest); |
3386 current_slot_n_digest); |
3407 fprintf(stderr, "%s: best so far cipher/digest slot: %d\n", |
3387 DEBUG_SLOT_SEL("%s: best cipher/digest slot so far: %d\n", |
3408 PK11_DBG, best_slot_sofar); |
3388 PK11_DBG, best_slot_sofar); |
3409 #endif /* DEBUG_SLOT_SELECTION */ |
|
3410 |
3389 |
3411 /* |
3390 /* |
3412 * If the current slot supports more ciphers/digests than |
3391 * If the current slot supports more ciphers/digests than |
3413 * the previous best one we change the current best to this one, |
3392 * the previous best one we change the current best to this one, |
3414 * otherwise leave it where it is. |
3393 * otherwise leave it where it is. |
3415 */ |
3394 */ |
3416 if ((current_slot_n_cipher + current_slot_n_digest) > |
3395 if ((current_slot_n_cipher + current_slot_n_digest) > |
3417 (slot_n_cipher + slot_n_digest)) |
3396 (slot_n_cipher + slot_n_digest)) |
3418 { |
3397 { |
3419 #ifdef DEBUG_SLOT_SELECTION |
3398 DEBUG_SLOT_SEL("%s: changing best slot to %d\n", |
3420 fprintf(stderr, |
|
3421 "%s: changing best so far slot to %d\n", |
|
3422 PK11_DBG, current_slot); |
3399 PK11_DBG, current_slot); |
3423 #endif /* DEBUG_SLOT_SELECTION */ |
|
3424 best_slot_sofar = SLOTID = current_slot; |
3400 best_slot_sofar = SLOTID = current_slot; |
3425 cipher_count = slot_n_cipher = current_slot_n_cipher; |
3401 cipher_count = slot_n_cipher = current_slot_n_cipher; |
3426 digest_count = slot_n_digest = current_slot_n_digest; |
3402 digest_count = slot_n_digest = current_slot_n_digest; |
3427 (void) memcpy(cipher_nids, local_cipher_nids, |
3403 (void) memcpy(cipher_nids, local_cipher_nids, |
3428 sizeof (local_cipher_nids)); |
3404 sizeof (local_cipher_nids)); |
3429 (void) memcpy(digest_nids, local_digest_nids, |
3405 (void) memcpy(digest_nids, local_digest_nids, |
3430 sizeof (local_digest_nids)); |
3406 sizeof (local_digest_nids)); |
3431 } |
3407 } |
3432 } |
3408 } |
3433 |
3409 |
3434 #ifdef DEBUG_SLOT_SELECTION |
3410 DEBUG_SLOT_SEL("%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID); |
3435 fprintf(stderr, |
3411 DEBUG_SLOT_SEL("%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID); |
3436 "%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID); |
3412 DEBUG_SLOT_SEL("%s: chosen cipher/digest slot: %d\n", PK11_DBG, SLOTID); |
3437 fprintf(stderr, |
3413 DEBUG_SLOT_SEL("%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa); |
3438 "%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID); |
3414 DEBUG_SLOT_SEL("%s: pk11_have_dsa %d\n", PK11_DBG, pk11_have_dsa); |
3439 fprintf(stderr, |
3415 DEBUG_SLOT_SEL("%s: pk11_have_dh %d\n", PK11_DBG, pk11_have_dh); |
3440 "%s: chosen cipher/digest slot: %d\n", PK11_DBG, SLOTID); |
3416 DEBUG_SLOT_SEL("%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random); |
3441 fprintf(stderr, |
3417 DEBUG_SLOT_SEL("%s: cipher_count %d\n", PK11_DBG, cipher_count); |
3442 "%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa); |
3418 DEBUG_SLOT_SEL("%s: digest_count %d\n", PK11_DBG, digest_count); |
3443 fprintf(stderr, |
|
3444 "%s: pk11_have_dsa %d\n", PK11_DBG, pk11_have_dsa); |
|
3445 fprintf(stderr, |
|
3446 "%s: pk11_have_dh %d\n", PK11_DBG, pk11_have_dh); |
|
3447 fprintf(stderr, |
|
3448 "%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random); |
|
3449 fprintf(stderr, |
|
3450 "%s: cipher_count %d\n", PK11_DBG, cipher_count); |
|
3451 fprintf(stderr, |
|
3452 "%s: digest_count %d\n", PK11_DBG, digest_count); |
|
3453 #endif /* DEBUG_SLOT_SELECTION */ |
|
3454 |
3419 |
3455 if (pSlotList != NULL) |
3420 if (pSlotList != NULL) |
3456 OPENSSL_free(pSlotList); |
3421 OPENSSL_free(pSlotList); |
3457 |
3422 |
3458 #ifdef SOLARIS_HW_SLOT_SELECTION |
3423 #ifdef SOLARIS_HW_SLOT_SELECTION |
3464 *any_slot_found = 1; |
3429 *any_slot_found = 1; |
3465 return (1); |
3430 return (1); |
3466 } |
3431 } |
3467 |
3432 |
3468 static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR pflist, |
3433 static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR pflist, |
3469 int slot_id, CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, |
3434 int slot_id, int *current_slot_n_cipher, int *local_cipher_nids, |
3470 int *local_cipher_nids, int id) |
3435 PK11_CIPHER *cipher) |
3471 { |
3436 { |
3472 CK_MECHANISM_INFO mech_info; |
3437 CK_MECHANISM_INFO mech_info; |
3473 CK_RV rv; |
3438 CK_RV rv; |
3474 |
3439 |
3475 #ifdef DEBUG_SLOT_SELECTION |
3440 DEBUG_SLOT_SEL("%s: checking mech: %x", PK11_DBG, cipher->mech_type); |
3476 fprintf(stderr, "%s: checking mech: %x", PK11_DBG, mech); |
3441 rv = pflist->C_GetMechanismInfo(slot_id, cipher->mech_type, &mech_info); |
3477 #endif /* DEBUG_SLOT_SELECTION */ |
|
3478 rv = pflist->C_GetMechanismInfo(slot_id, mech, &mech_info); |
|
3479 |
3442 |
3480 if (rv != CKR_OK) |
3443 if (rv != CKR_OK) |
3481 { |
3444 { |
3482 #ifdef DEBUG_SLOT_SELECTION |
3445 DEBUG_SLOT_SEL(" not found\n"); |
3483 fprintf(stderr, " not found\n"); |
|
3484 #endif /* DEBUG_SLOT_SELECTION */ |
|
3485 return; |
3446 return; |
3486 } |
3447 } |
3487 |
3448 |
3488 if ((mech_info.flags & CKF_ENCRYPT) && |
3449 if ((mech_info.flags & CKF_ENCRYPT) && |
3489 (mech_info.flags & CKF_DECRYPT)) |
3450 (mech_info.flags & CKF_DECRYPT)) |
3490 { |
3451 { |
|
3452 if (mech_info.ulMinKeySize > cipher->min_key_len || |
|
3453 mech_info.ulMaxKeySize < cipher->max_key_len) |
|
3454 { |
|
3455 DEBUG_SLOT_SEL(" engine key size range <%i-%i> does not" |
|
3456 " match mech range <%lu-%lu>\n", |
|
3457 cipher->min_key_len, cipher->max_key_len, |
|
3458 mech_info.ulMinKeySize, mech_info.ulMaxKeySize); |
|
3459 return; |
|
3460 } |
3491 #ifdef SOLARIS_HW_SLOT_SELECTION |
3461 #ifdef SOLARIS_HW_SLOT_SELECTION |
3492 if (nid_in_table(ciphers[id].nid, hw_cnids)) |
3462 if (nid_in_table(cipher->nid, hw_cnids)) |
3493 #endif /* SOLARIS_HW_SLOT_SELECTION */ |
3463 #endif /* SOLARIS_HW_SLOT_SELECTION */ |
3494 { |
3464 { |
3495 #ifdef DEBUG_SLOT_SELECTION |
3465 DEBUG_SLOT_SEL(" usable\n"); |
3496 fprintf(stderr, " usable\n"); |
|
3497 #endif /* DEBUG_SLOT_SELECTION */ |
|
3498 local_cipher_nids[(*current_slot_n_cipher)++] = |
3466 local_cipher_nids[(*current_slot_n_cipher)++] = |
3499 ciphers[id].nid; |
3467 cipher->nid; |
3500 } |
3468 } |
3501 #ifdef SOLARIS_HW_SLOT_SELECTION |
3469 #ifdef SOLARIS_HW_SLOT_SELECTION |
3502 #ifdef DEBUG_SLOT_SELECTION |
|
3503 else |
3470 else |
3504 { |
3471 { |
3505 fprintf(stderr, " rejected, software implementation only\n"); |
3472 DEBUG_SLOT_SEL( |
3506 } |
3473 " rejected, software implementation only\n"); |
3507 #endif /* DEBUG_SLOT_SELECTION */ |
3474 } |
3508 #endif /* SOLARIS_HW_SLOT_SELECTION */ |
3475 #endif /* SOLARIS_HW_SLOT_SELECTION */ |
3509 } |
3476 } |
3510 #ifdef DEBUG_SLOT_SELECTION |
|
3511 else |
3477 else |
3512 { |
3478 { |
3513 fprintf(stderr, " unusable\n"); |
3479 DEBUG_SLOT_SEL(" unusable\n"); |
3514 } |
3480 } |
3515 #endif /* DEBUG_SLOT_SELECTION */ |
|
3516 |
3481 |
3517 return; |
3482 return; |
3518 } |
3483 } |
3519 |
3484 |
3520 static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id, |
3485 static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id, |
3521 CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids, |
3486 int *current_slot_n_digest, int *local_digest_nids, PK11_DIGEST *digest) |
3522 int id) |
|
3523 { |
3487 { |
3524 CK_MECHANISM_INFO mech_info; |
3488 CK_MECHANISM_INFO mech_info; |
3525 CK_RV rv; |
3489 CK_RV rv; |
3526 |
3490 |
3527 #ifdef DEBUG_SLOT_SELECTION |
3491 DEBUG_SLOT_SEL("%s: checking mech: %x", PK11_DBG, digest->mech_type); |
3528 fprintf(stderr, "%s: checking mech: %x", PK11_DBG, mech); |
3492 rv = pflist->C_GetMechanismInfo(slot_id, digest->mech_type, &mech_info); |
3529 #endif /* DEBUG_SLOT_SELECTION */ |
|
3530 rv = pflist->C_GetMechanismInfo(slot_id, mech, &mech_info); |
|
3531 |
3493 |
3532 if (rv != CKR_OK) |
3494 if (rv != CKR_OK) |
3533 { |
3495 { |
3534 #ifdef DEBUG_SLOT_SELECTION |
3496 DEBUG_SLOT_SEL(" not found\n"); |
3535 fprintf(stderr, " not found\n"); |
|
3536 #endif /* DEBUG_SLOT_SELECTION */ |
|
3537 return; |
3497 return; |
3538 } |
3498 } |
3539 |
3499 |
3540 if (mech_info.flags & CKF_DIGEST) |
3500 if (mech_info.flags & CKF_DIGEST) |
3541 { |
3501 { |
3542 #ifdef SOLARIS_HW_SLOT_SELECTION |
3502 #ifdef SOLARIS_HW_SLOT_SELECTION |
3543 if (nid_in_table(digests[id].nid, hw_dnids)) |
3503 if (nid_in_table(digest->nid, hw_dnids)) |
3544 #endif /* SOLARIS_HW_SLOT_SELECTION */ |
3504 #endif /* SOLARIS_HW_SLOT_SELECTION */ |
3545 { |
3505 { |
3546 #ifdef DEBUG_SLOT_SELECTION |
3506 DEBUG_SLOT_SEL(" usable\n"); |
3547 fprintf(stderr, " usable\n"); |
|
3548 #endif /* DEBUG_SLOT_SELECTION */ |
|
3549 local_digest_nids[(*current_slot_n_digest)++] = |
3507 local_digest_nids[(*current_slot_n_digest)++] = |
3550 digests[id].nid; |
3508 digest->nid; |
3551 } |
3509 } |
3552 #ifdef SOLARIS_HW_SLOT_SELECTION |
3510 #ifdef SOLARIS_HW_SLOT_SELECTION |
3553 #ifdef DEBUG_SLOT_SELECTION |
|
3554 else |
3511 else |
3555 { |
3512 { |
3556 fprintf(stderr, " rejected, software implementation only\n"); |
3513 DEBUG_SLOT_SEL( |
3557 } |
3514 " rejected, software implementation only\n"); |
3558 #endif /* DEBUG_SLOT_SELECTION */ |
3515 } |
3559 #endif /* SOLARIS_HW_SLOT_SELECTION */ |
3516 #endif /* SOLARIS_HW_SLOT_SELECTION */ |
3560 } |
3517 } |
3561 #ifdef DEBUG_SLOT_SELECTION |
|
3562 else |
3518 else |
3563 { |
3519 { |
3564 fprintf(stderr, " unusable\n"); |
3520 DEBUG_SLOT_SEL(" unusable\n"); |
3565 } |
3521 } |
3566 #endif /* DEBUG_SLOT_SELECTION */ |
|
3567 |
3522 |
3568 return; |
3523 return; |
3569 } |
3524 } |
3570 |
3525 |
3571 #ifdef SOLARIS_AES_CTR |
3526 #ifdef SOLARIS_AES_CTR |
3819 for (i = 0; i < hw_ctable_size; ++i) |
3769 for (i = 0; i < hw_ctable_size; ++i) |
3820 tmp_hw_cnids[i] = NID_undef; |
3770 tmp_hw_cnids[i] = NID_undef; |
3821 for (i = 0; i < hw_dtable_size; ++i) |
3771 for (i = 0; i < hw_dtable_size; ++i) |
3822 tmp_hw_dnids[i] = NID_undef; |
3772 tmp_hw_dnids[i] = NID_undef; |
3823 |
3773 |
3824 #ifdef DEBUG_SLOT_SELECTION |
3774 DEBUG_SLOT_SEL("%s: provider: %s\n", PK11_DBG, pkcs11_kernel); |
3825 fprintf(stderr, "%s: provider: %s\n", PK11_DBG, pkcs11_kernel); |
3775 DEBUG_SLOT_SEL("%s: found %d hardware slots\n", PK11_DBG, ulSlotCount); |
3826 fprintf(stderr, "%s: found %d hardware slots\n", PK11_DBG, ulSlotCount); |
3776 DEBUG_SLOT_SEL("%s: now looking for mechs supported in hw\n", |
3827 fprintf(stderr, "%s: now looking for mechs supported in hw\n", |
|
3828 PK11_DBG); |
3777 PK11_DBG); |
3829 #endif /* DEBUG_SLOT_SELECTION */ |
|
3830 |
3778 |
3831 for (i = 0; i < ulSlotCount; i++) |
3779 for (i = 0; i < ulSlotCount; i++) |
3832 { |
3780 { |
3833 if (pflist->C_GetTokenInfo(pSlotList[i], &token_info) != CKR_OK) |
3781 if (pflist->C_GetTokenInfo(pSlotList[i], &token_info) != CKR_OK) |
3834 continue; |
3782 continue; |
3835 |
3783 |
3836 #ifdef DEBUG_SLOT_SELECTION |
3784 DEBUG_SLOT_SEL("%s: token label: %.32s\n", PK11_DBG, |
3837 fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label); |
3785 token_info.label); |
3838 #endif /* DEBUG_SLOT_SELECTION */ |
|
3839 |
3786 |
3840 /* |
3787 /* |
3841 * We are filling the hw mech tables here. Global tables are |
3788 * We are filling the hw mech tables here. Global tables are |
3842 * still NULL so all mechanisms are put into tmp tables. |
3789 * still NULL so all mechanisms are put into tmp tables. |
3843 */ |
3790 */ |